Evoko Overview Unquoted Service Path Vulnerability
As of writing affects version 2.0.4 & 2.0.3
Last updated
Evoko Overview, a display system used with Evoko Home meeting room solutions, contains a vulnerability in its Windows service configuration. The Evoko Overview service is installed with an unquoted ImagePath in the Windows Registry and runs with SYSTEM privileges. This combination allows an attacker to exploit an unquoted search path weakness (CWE-428) by planting a malicious executable in one of the directories that Windows consults while resolving the unquoted path. NOTE: An attacker must have the ability to write to either of the following directories in order to abuse this vulnerability:
The vulnerable registry entry typically appears by default as follows:
Because the path is not quoted, Windows cannot tell where the executable name ends and any arguments begin. When the Service Control Manager starts the service, CreateProcess tries each space-delimited prefix of the ImagePath as a program name (appending ".exe") before it reaches the real "nssm.exe". If an attacker can place an executable with one of those candidate names in the corresponding directory (the directories noted above), the Evoko Overview service will start it instead of the legitimate "nssm.exe", with the privileges of the SYSTEM account. This could lead to complete compromise of the affected system.
Successful exploitation of this vulnerability can have severe consequences:
Privilege Escalation: An attacker can gain SYSTEM-level control, the highest possible privilege level on a Windows system.
System Compromise: The attacker can install malware, exfiltrate sensitive data, or perform other malicious activities.
Lateral Movement: The compromised system can be used as a foothold to attack other systems on the network.
As of writing, this vulnerability has been confirmed in versions 2.0.4 and 2.0.3.
To mitigate this vulnerability, administrators should modify the registry entry to include quotation marks around the ImagePath:
This ensures that Windows only executes the legitimate "nssm.exe" in the directory named in the ImagePath, regardless of spaces in that path. The change takes effect the next time the service starts, so restart it (or reboot) after editing the value, and verify that the directories along the path are not writable by unprivileged users.
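The following PowerShell is an added example for this advisory, not code from the advisory or from Biamp. It audits every service for the condition described above (an unquoted ImagePath containing a space), lists the candidate executables CreateProcess would try before the real one, reports which of those directories the current user can write to, and applies the quoting fix from the mitigation section. The service key name 'Evoko Overview' in the usage lines is an assumed placeholder; use the actual key name reported by the audit.

```powershell
# Added example (not from the advisory or vendor). Audit and fix unquoted
# service paths (CWE-428). Run the audit as an unprivileged user to see what an
# attacker could abuse; run the repair as an administrator.

function Test-DirectoryWritable {
    # Probe write access by creating and deleting a random file in $Path.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')     # throws UnauthorizedAccessException if denied
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    # Emit one object per service whose ImagePath is unquoted and contains a space.
    [CmdletBinding()]
    param()
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $imagePath = $imagePath.Trim()
        # Quoted paths and NT-style paths (\??\, \SystemRoot\, system32\drivers\...) are not affected.
        if ($imagePath.StartsWith('"') -or $imagePath -notmatch '^[A-Za-z]:\\') { continue }
        # Executable portion: everything up to and including the first ".exe".
        $m = [regex]::Match($imagePath, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $imagePath }
        if ($exe -notmatch ' ') { continue }

        # CreateProcess tries each space-delimited prefix with ".exe" appended
        # before it reaches the full path, e.g. "C:\Program.exe" first.
        $tokens = $exe -split ' '
        $candidates = @(for ($i = 1; $i -lt $tokens.Count; $i++) {
            ($tokens[0..($i - 1)] -join ' ') + '.exe'
        })
        $dirs = @($candidates | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique)
        [pscustomobject]@{
            Service      = $key.PSChildName
            ImagePath    = $imagePath
            Candidates   = $candidates
            WritableDirs = @($dirs | Where-Object { Test-DirectoryWritable -Path $_ })
        }
    }
}

function Repair-ServiceImagePath {
    # Wrap the executable portion of ImagePath in quotes, preserving arguments
    # and the existing registry value kind (REG_SZ or REG_EXPAND_SZ).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Service)
    $regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $imagePath = (Get-ItemProperty -Path $regPath -Name ImagePath).ImagePath.Trim()
    if ($imagePath.StartsWith('"')) { return $imagePath }   # already safe
    $m = [regex]::Match($imagePath, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "Cannot locate executable in ImagePath: $imagePath" }
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    $kind  = (Get-Item -Path $regPath).GetValueKind('ImagePath')
    if ($PSCmdlet.ShouldProcess($Service, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $regPath -Name ImagePath -Value $fixed -Type $kind
    }
    return $fixed
}

# Usage. 'Evoko Overview' is an assumed key name; use the Service value printed by the audit.
Get-UnquotedServicePath | Format-List
# Repair-ServiceImagePath -Service 'Evoko Overview' -WhatIf
# Repair-ServiceImagePath -Service 'Evoko Overview'; Restart-Service -Name 'Evoko Overview'
```

The audit deliberately probes by writing a file rather than parsing ACLs, because effective permissions depend on group membership and inheritance and are easy to misjudge by reading DACLs alone. A service that shows up with a non-empty WritableDirs list is exploitable by the account running the audit; one with an empty list still has the unquoted path and should be fixed, since directory permissions can change.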
Biamp, the vendor of Evoko products, has acknowledged this vulnerability and committed to releasing a patch in a future version of Evoko Overview. However, a specific timeline for the patch has not been provided.